4. Review of Nuclear Security Series
• NSS No.17 Computer Security for Nuclear Facilities
• NST036 Computer Security of Nuclear I&C Systems
5. Review of NSS No. 17
– Awareness publication
– Safety I&C systems are assigned Levels 1 to 3
– No categorization hierarchy provided for PPS
– Security Objective is not stated for many computer security measures
– Risk assessment in general terms
– Non-safety items may impact on safety systems and require protection
6. Review NSS No. 17 - Example
EXAMPLE
– Zone 1: Safety relevant digital and software based I&C systems
– Zone 2: Process-control and Process-computing systems
e.g. 2A = Reactor near area, 2B = Main Control Room
– Zone 3: Administrative computer systems
e.g. 3A = Physical Protection Systems
3B = Telecommunication Systems
– Zone 4: External systems
e.g. 4A = Systems for Internet Services and data exchange
9. What does NSS17 not provide?
1. Coherence with IAEA Safety Guides
2. Robust Risk Assessment Method
3. Safety and Security Considerations when applying security controls –
unique to Nuclear I&C.
4. Computer Security measures for the entire I&C System lifecycle.
5. Goal based guidance
10. Approved for Publication
NST036 – Computer Security of I&C Systems
– Nuclear I&C designers have robust processes in place to ensure systems
provide for safe, reliable, and deterministic behavior.
– NST036 aims to overlay security considerations on top of these processes to
meet safety and security objectives.
– Developed in tandem with SSG-37 and SSG-39, the IAEA Safety Guides for I&C
Systems at NPPs and RRs.
11. NST036 Objective
– Aims to provide guidance on computer security for I&C systems at
nuclear facilities.
– This guidance includes safety and security considerations which
have to be addressed in order to provide security throughout the
life cycle of an I&C system.
– Application of this guidance may also benefit safety and
operational performance of nuclear facilities.
12. NST036 Scope
– The application of computer security measures to I&C systems
which provide safety or auxiliary functions at nuclear facilities.
– I&C systems used for Nuclear material accounting and control
(NMAC) or nuclear security, such as physical protection and
security monitoring, where applicable.
– Considers the application of computer security measures to the
development, simulation and maintenance environments.
13. Potential Consequences
The effects of compromise on a system's functions, arranged from
worst to best case, are:
i. Function is indeterminate
ii. Function has unexpected behaviours or actions
iii. Function fails
iv. Function performs as expected (i.e. fault tolerant)
14. Compromise examples
– Failure (e.g. denial of service / loss of function): blocks the operator's ability to
observe and/or respond to changing system conditions, or slows the system to
a crawl.
– Interception (man in the middle): interception and modification of the data
stream between nodes.
– Unobserved system monitoring/modification: unauthorized access and
data recording/modification.
– Operator spoofing leading to incorrect action: causing the operator to take an
incorrect action; direct manipulation of the computer/control system.
Ref: Tutănescu, Ion, Ass. Prof., Ph.D., Prof. Emil Sofron, Ph.D., Anatomy and Types of Attacks against
Computer Networks, Department of Electronics and Computers, University of Piteşti, ROMANIA.
15. Safety-Security Considerations
– Computer security measures that protect the human–system
interface (HSI) should be implemented so that they do not
adversely affect the operators’ ability to maintain the safety of the
facility.
– Adverse impacts such as the interception and modification of
process data to the HSI (e.g. spoofing) with the aim of preventing
or delaying the operator from actuating a safety function (e.g.
manual trip) should also be considered.
16. Safety-Security Considerations
– If there is a conflict between safety and security, then design
considerations taken to assure safety should be maintained
provided that a compatible solution to ensure security is pursued.
– Compensatory computer security measures should be
implemented to reduce the risk to an acceptable level and be
supported by a comprehensive justification and security risk
analysis.
– The implemented measures should not rely solely upon
administrative controls for an extended period.
– The absence of a security solution should never be accepted.
17. Review – Computer Security Measures
Types of protective measures
– Administrative Controls – policy, procedures and practices designed to
safeguard computer systems through personnel behaviors. These are
directive in nature specifying what employees should and should not do.
– Physical Controls – physical barriers for the protection of computer and
supporting assets from physical damage and physical access. (fences,
physical protection systems, locks, doors, guards, fire protection)
– Technical Controls – computer hardware/software solutions for the
protection, detection, mitigation and recovery from intrusion or malicious
acts. (e.g. firewalls, IDS, anti-virus software, access control)
18. Facility Level Risk Assessment
– Applies to all I&C systems.
– Determine the effects that may result from cyber-attacks which
successfully exploit vulnerabilities in the system.
– Identifies facility I&C systems (including supporting and complementary
systems) that, if compromised, could have an adverse effect on safety,
security of nuclear material, or accident management.
19. System Level Risk Assessment
– I&C system components should be assessed and assigned to the
appropriate security level based upon the security risk assessment.
– Malicious actions that could change process signals, equipment
configuration data, or software should be considered in the I&C system
security risk assessment.
– Cyber-attack should be considered as an event that may occur at any point
during the I&C system life cycle.
20. NST036 – General Guidance
NST036 (All I&C systems)
– Identify and document the standards and procedures that will conform with the
applicable security policies to ensure the system design products (hardware, software,
and firmware) minimize:
– undocumented code (e.g. back door coding),
– malicious code (e.g. intrusions, viruses, worms, Trojan horses or bomb codes), and
– other unwanted, unnecessary or undocumented functions or applications with the aim of
minimizing attack surface.
NSS 17 (Computer Security Plan components)
– Platform and application security (e.g. hardening);
21. System Hardening
Definition
– The process of securing a system by reducing its surface of vulnerability, which is larger
when a system performs more functions;
– Reducing available ways of attack typically includes changing default passwords, the
removal of unnecessary software, unnecessary usernames or logins, and the disabling
or removal of unnecessary services.
How it Works
– Principle that a single-function system is more secure than a multipurpose one.
– Options: Kernel Patch, Closing Network Ports, IDS/IPS
– Hardening Scripts/Applications (MBSA, Lynis, Bastille)
22. System Hardening Example
– Nessus scanner used to identify vulnerabilities and missing patches.
– Hardening of System removed all Critical Vulnerabilities and reduced overall risk.
Ref: J. Sladek - OPG
http://www.tenable.com/products/nessus-vulnerability-scanner
23. Security Architecture
– Highest security level (i.e. requiring the greatest degree of security) should only be
connected to systems in lower protection categories via fail-secure, deterministic,
unidirectional data communication pathways.
– The direction of these data pathways should be limited to transmission of data from
the highest security level to the devices in the lower security levels (i.e. lower levels are
not allowed to transmit data to the higher level).
– Exceptions are strongly discouraged and may only be considered on a strict case by
case basis and if supported by a complete justification and security risk analysis.
– Aligns with NSS No. 17
24. Potential Control (Data Diode)
– Data diodes use physical means to ensure that data can only flow in one direction.
– This prevents the use of any protocol that requires handshaking (including TCP/IP).
– Designs using data diodes must consider the possibility that data packets will be
dropped. This can be addressed through redundancy and error correction codes.
26. Data Diodes
– Data diodes can protect systems from network-based attacks.
– They do not protect against malware from mobile devices or removable media.
– Data diodes do not protect confidentiality of data that is transmitted over the network.
– If configured correctly security event messages can be sent through the diode to a
central logging and monitoring system.
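The one-way pathway described on the last two slides (highest level transmits only downwards, data diode, no handshaking, dropped packets handled by redundancy and error correction) can be illustrated with a small simulation. This is an added example, not code from NST036, NSS No. 17 or any diode product: the redundancy factor, the CRC choice and the constructed event messages are assumptions, and the "channel" is just a function that drops a fraction of frames.

```python
"""One-way (data-diode style) transfer simulated with sequence numbers, CRCs and
repeat sending.

Added example, not code from NST036, NSS No. 17 or any diode vendor. Because the
sender can never hear from the receiver, no handshake, ACK or retransmission
request is possible; the only defences against dropped or corrupted frames are
redundancy (each frame is sent REPEATS times) and an integrity check (CRC32).
The receiver drops duplicates and bad frames and reports sequence gaps so that
loss is at least detected. REPEATS and the drop rate are assumed values."""
import random
import zlib

REPEATS = 3  # assumed redundancy factor: every frame is transmitted this many times


def frame(seq: int, payload: bytes) -> bytes:
    """Build a frame: 4-byte big-endian sequence number, payload, 4-byte CRC32."""
    body = seq.to_bytes(4, "big") + payload
    return body + zlib.crc32(body).to_bytes(4, "big")


def parse(raw: bytes):
    """Return (seq, payload), or None if the frame is truncated or its CRC fails."""
    if len(raw) < 8:
        return None
    body, crc = raw[:-4], int.from_bytes(raw[-4:], "big")
    if zlib.crc32(body) != crc:
        return None
    return int.from_bytes(body[:4], "big"), body[4:]


def send(messages, repeats=REPEATS):
    """Sender side: frame each message and emit it `repeats` times. Nothing comes back."""
    out = []
    for seq, msg in enumerate(messages):
        out.extend([frame(seq, msg)] * repeats)
    return out


def lossy_channel(frames, drop_rate, rng):
    """Unidirectional channel that silently drops a fraction of the frames."""
    return [f for f in frames if rng.random() >= drop_rate]


def receive(frames, expected_count):
    """Receiver side: discard corrupt frames, keep the first good copy of each
    sequence number, and list the sequence numbers that never arrived."""
    got = {}
    for raw in frames:
        parsed = parse(raw)
        if parsed is None:
            continue                      # CRC failure: treat as lost, never trust it
        seq, payload = parsed
        got.setdefault(seq, payload)      # later duplicates are ignored
    missing = [s for s in range(expected_count) if s not in got]
    return [got[s] for s in sorted(got)], missing


def demo(drop_rate=0.3, seed=7):
    """Push 20 constructed security-event lines through a 30%-loss channel."""
    msgs = [f"EVENT {i}: setpoint read".encode() for i in range(20)]  # constructed
    rng = random.Random(seed)
    delivered, missing = receive(lossy_channel(send(msgs), drop_rate, rng), len(msgs))
    return len(delivered), missing


if __name__ == "__main__":
    n, gaps = demo()
    print(f"delivered {n}/20 messages; sequence gaps: {gaps}")
```

The point to take from the receiver side is that a gap is reported rather than requested back: on a genuinely unidirectional link the monitoring system can only raise an alert that events were lost, which is why the slides treat redundancy and error-correcting codes as design inputs rather than afterthoughts.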
27. NST036 – Operations and Maintenance
NST036 (All I&C systems)
– Operations and maintenance activities should be analysed to ensure that computer
security measures are implemented to prevent introduction of malicious software to
the I&C system.
NSS 17 (Security Level 1)
– Strict organizational and administrative procedures apply to any modifications,
including hardware maintenance, updates and software modifications.
28. Potential Control - Application Whitelisting
Definition
– Only software which is on a list of software that is considered safe to run is permitted
to run. All other software is blocked.
How it Works
– A signature is generated and stored in the whitelist. The signature typically is the output of a
cryptographic function applied to the program.
– When the program is run, the signature is recalculated and compared to the whitelist.
– If a program is changed then the signature will change and the program will be blocked.
– Any new program installed on the system will not have a signature and will be blocked
29. Potential Control - Application Whitelisting
Advantages
– Only requires signature file updates when the software is modified
– Deterministic behavior - the time to generate the signature is the same every time.
Disadvantages
– Inappropriate design may impede the ability of a system to respond as per its design requirements. Care
should be taken in designing the whitelist.
– Hard to use in an environment where programs are changed frequently.
– May not be effective against programs that insert themselves into memory.
– Not effective in interpreted programs. The interpreter will be whitelisted, but the input files will not be.
For example:
python < badscript.py
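The whitelisting mechanism on the two slides above (hash at enrolment, recompute at run time, block on mismatch or on unknown programs) and the interpreter gap at the end can both be shown in one small model. This is an added example, not code from NST036, NSS No. 17 or any whitelisting product; the file names, the "interpreter" stand-in and the policy switch `check_script_args` are constructed for the illustration.

```python
"""Hash-based application whitelist, as a worked example.

Added example, not code from NST036, NSS No. 17 or any whitelisting product.
Enrolment records the SHA-256 of each approved binary; at execution time the
hash is recomputed and must match. The demo also shows the interpreter gap from
the slides: once the interpreter is whitelisted, a script it is given is not
checked unless the policy also hashes the script files. File names are
constructed in a temporary directory."""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_whitelist(paths):
    """Enrolment: map each approved path to its hash at approval time."""
    return {p: sha256_file(p) for p in paths}


def is_allowed(whitelist, path):
    """True only if the path is enrolled, still exists and still hashes to the
    enrolled value (any modification changes the hash and blocks it)."""
    expected = whitelist.get(path)
    if expected is None or not os.path.isfile(path):
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def check_exec(whitelist, argv, check_script_args=False):
    """Decide whether argv[0] may run. With check_script_args=True, every
    argument that names an existing file is treated as code and must itself be
    whitelisted, which closes the 'interpreter plus script path' gap."""
    if not is_allowed(whitelist, argv[0]):
        return False, f"blocked: {os.path.basename(argv[0])} not enrolled or modified"
    if check_script_args:
        for arg in argv[1:]:
            if os.path.isfile(arg) and not is_allowed(whitelist, arg):
                return False, f"blocked: input file {os.path.basename(arg)} not enrolled"
    return True, "allowed"


def demo():
    """Enrol an 'interpreter' and one script, then try the cases from the slides."""
    d = tempfile.mkdtemp()
    interp = os.path.join(d, "interp")          # stands in for a whitelisted interpreter
    good = os.path.join(d, "approved.py")
    bad = os.path.join(d, "badscript.py")       # never enrolled
    for path, content in [(interp, b"#!fake-interpreter\n"),
                          (good, b"print('approved')\n"),
                          (bad, b"print('not approved')\n")]:
        with open(path, "wb") as f:
            f.write(content)
    wl = build_whitelist([interp, good])
    results = {
        "approved_script": check_exec(wl, [interp, good])[0],
        "unknown_binary": check_exec(wl, [bad])[0],
        "interp_only_checked": check_exec(wl, [interp, bad])[0],      # the gap: allowed
        "script_args_checked": check_exec(wl, [interp, bad], True)[0],
    }
    with open(interp, "ab") as f:
        f.write(b"# tampered\n")                 # simulate modification of the binary
    results["modified_binary"] = check_exec(wl, [interp, good])[0]
    return results
```

Note that hashing file arguments still does nothing for `python < badscript.py`, where the script arrives on standard input and never appears as a path, which is exactly the limitation the slide names. On a protected I&C host the usual answer is to not enrol general-purpose interpreters at all, and the deterministic timing advantage holds only because the hash is computed over a fixed file, so it is the enrolment list, not the mechanism, that decides what the system can still do.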
30. NST036 – Operations and Maintenance
NST036 (All I&C systems)
– Calibration, testing and maintenance activities may involve the use of removable media
and mobile devices. Computer security measures should include considerations for:
– The implementation of effective administrative and technical controls in the safe and secure handling
of the digital devices.
– Verification of the integrity of all control set points with the aim to prevent and protect them from
undesired changes; and
– Use of qualified personnel (including 3rd parties) that have received training in performance of these
activities based on computer security requirements.
NSS 17 (Security Level 1)
– Removable media must be controlled in accordance with security operating procedures.
– Every data entry to the systems is approved and verified on a case by case basis
– Measures to ensure the integrity and availability of the systems are typically explained as a part of the
safety cases.
31. Potential Control - Logfile based IDS
Function
– Active device that analyses logfiles from one or more systems to identify security events.
Advantages
– Inexpensive and easy to use
Disadvantages
– The systems being monitored must support remote access to event logs or remote
transmission of events to the IDS. This may not be possible on legacy ICS systems.
– Different structure and format of logfiles for different systems.
32. Network Intrusion Detection System
A network based IDS is a device which analyzes network traffic to identify intrusion.
– Does not require changes to the ICS.
– Intrusion detection signatures are required.
– The signatures for ICS systems are different from signatures used in corporate
environments.
– IDS aimed at corporate environments assume that there is a rigorous patch process in
place and old signatures are dropped to maintain adequate performance. This is not the
case with ICS.
– ICS specific signatures must be used to protect I&C equipment.
– When ICS network traffic is deterministic and uses limited protocols, effective rules can be
developed which identify anomalous traffic.
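The last bullet is the one that makes network IDS tractable for I&C: when the set of expected conversations is fixed by design, a rule set can be an allow-list and everything else is an alert. Added example, not code from NST036, NSS No. 17 or any IDS product; the addresses, ports, device roles and flow-log lines are constructed, and the record format ("timestamp src dst proto dport") is an assumption.

```python
"""Allow-list anomaly detection over flow records from a deterministic control network.

Added example, not code from NST036, NSS No. 17 or any IDS product. In a
network whose traffic is fixed by design, the rule is simply 'anything not on
the list of expected conversations is an alert'. Addresses, ports, roles and
the log lines are constructed; the format is 'timestamp src dst proto dport'."""

# Expected conversations (src, dst, proto, dport), constructed for the example.
ALLOWED_FLOWS = {
    ("10.10.1.20", "10.10.1.10", "tcp", 502),   # HMI-A -> PLC, Modbus/TCP
    ("10.10.1.21", "10.10.1.10", "tcp", 502),   # HMI-B -> PLC, Modbus/TCP
    ("10.10.1.10", "10.10.2.5", "udp", 514),    # PLC -> syslog collector (one way)
}

# Constructed flow log: the first three lines are normal, the last three should be flagged.
SAMPLE_FLOWS = """\
2024-01-01T10:00:01 10.10.1.20 10.10.1.10 tcp 502
2024-01-01T10:00:02 10.10.1.21 10.10.1.10 tcp 502
2024-01-01T10:00:03 10.10.1.10 10.10.2.5 udp 514
2024-01-01T10:00:04 10.10.1.20 10.10.1.10 tcp 22
2024-01-01T10:00:05 10.10.1.99 10.10.1.10 tcp 502
2024-01-01T10:00:06 10.10.1.10 10.10.1.20 tcp 502
"""


def parse_flow(line):
    """Parse one record; returns (ts, src, dst, proto, dport) or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    ts, src, dst, proto, dport = parts
    return ts, src, dst, proto.lower(), int(dport)


def classify(record, allowed):
    """Return None for an expected flow, else a short reason for the alert.
    The reasons are ordered from most to least surprising for a static network."""
    _, src, dst, proto, dport = record
    if (src, dst, proto, dport) in allowed:
        return None
    known_hosts = {h for flow in allowed for h in flow[:2]}
    known_services = {(flow[2], flow[3]) for flow in allowed}
    if src not in known_hosts or dst not in known_hosts:
        return "unknown host"                      # a device that should not exist here
    if (proto, dport) not in known_services:
        return "unexpected service"               # known host using a new protocol/port
    return "unexpected direction or pairing"      # known hosts and service, wrong pair


def detect(log_text, allowed=ALLOWED_FLOWS):
    """Run every record through the allow-list; collect (ts, src, dst, proto, dport, reason)."""
    alerts = []
    for line in log_text.splitlines():
        record = parse_flow(line)
        if record is None:
            continue                               # malformed line: skip, do not crash the sensor
        reason = classify(record, allowed)
        if reason is not None:
            alerts.append(record + (reason,))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

The three reasons map onto what an operator needs to triage first: a host that is not in the design at all, a known host speaking a service it never should (here SSH towards the PLC), and a known pair talking in a direction the architecture forbids (the PLC initiating towards an HMI). None of this needs vendor signatures or a patch cadence, which is the contrast the slide draws with corporate IDS.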
33. Host based IDS
– Host based firewall can identify new network communications and block them by default.
An alert can be generated.
– Antivirus may be used to block malicious software based on a blacklist. This may not work
so well in an ICS environment:
– Scanning is non-deterministic based on number of signatures.
– Requires regular signature updates and may require scanning engine updates.
– Vendors assume patching in place so old signatures are dropped.
– When base O/S goes out of support, antivirus vendors will drop support for the O/S. No new signatures,
no updates to the engine.
– Host-based IDS may also interpret network traffic in real time based on signatures and
block traffic.
– These solutions all require software to be installed on the system to be protected.
Additional system loading may affect real-time performance. May also block needed
software from running.
34. NST036 – Vendors
– Vendor and sub-vendor organizations should have robust and verifiable computer security processes.
– Computer security requirements and controls should be met and applied respectively by vendors including
support provided on site, at the vendor’s workplace, and during any transit or storage of purchased goods.
– The vendor should have a computer security management process.
– The applicable requirements for computer security at sites where a vendor performs activities with I&C
systems should be clearly and contractually specified based on security level by the operator.
– A process should exist between the facility (i.e. operators) and vendor for either organization to report
vulnerabilities and to coordinate response and mitigation efforts.
– The vendor should demonstrate that they have a credible mechanism for receiving reports of vulnerabilities,
assessing them and reporting them to the nuclear facility during the entire period of their contractual
service. This may extend beyond any normal warranty period to support the life cycle of the installed
equipment.
– Audits and assessment of vendors responsible for I&C design, development, integration, and maintenance
should be conducted and the results reported to the operator.